Friday, November 7, 2008

It's been a while since we touched on network port-knocking, as we did back in December in our post on non-maliciously scanning for open network ports. In all that time, we've gotten sidetracked so many different ways that we're only now getting around to the complement of mass-querying network ports on other hosts in our network (hosts run by folks who, of course, don't mind if we query all of their machine's ports :) Today, we're going to take a look at simply and quickly getting as much dirty information as possible about open ports on your own localhost (by localhost, we mean the server you're currently logged into, and by dirty, we mean "not necessarily useful, but probably interesting and maybe useful" ;)

This intro-to-the-weekend script is pretty short and sweet. It requires nothing more than being able to execute it (and run telnet) on your local system, connecting from the machine directly to itself, which shouldn't be a security concern, and it doesn't accept any arguments (technically, it will accept them and then passively ignore them :) It can be run very simply from the command line as:

host # ./porttest.sh <-- Or whatever you decide to rename it

We've elected to have our port scan start at 80 (the traditional HTTP server port) and grab every other (higher) listening port on the localhost, then query all of them as if they were HTTP servers by sending a simple HTTP/1.0 GET request. As a blanket request to any number of known and unknown ports, it's not always the best way to interrogate them, but it does get lots of useful information from any sort of web server and from a few other sorts of servers as well. The only thing you have to settle down and be comfortable with is the fact that, a lot of the time, you can find out just as much about what's running on a particular port by reading the error message you receive from a bogus query as you can from reading the result of a successful one.
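To make the two halves of that procedure concrete, here is an added example that is not the blog's porttest.sh: the listening-port selection is done with awk over netstat-style output (a constructed sample is embedded so the selection can be exercised offline), and the HTTP/1.0 GET is sent over bash's /dev/tcp instead of telnet. The function names, the sample listing and the use of timeout are all our own choices, not anything from the original script.

```shell
#!/bin/bash
# Added example (not the blog's porttest.sh): pick out local TCP listeners at
# or above port 80 from netstat-style output, then hand each one a bare
# HTTP/1.0 GET and keep whatever comes back, error page or not.

# Constructed "netstat -an" style sample for the offline run below.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:443            10.0.0.9:51522          ESTABLISHED
tcp6       0      0 :::443                  :::*                    LISTEN
udp        0      0 0.0.0.0:123             0.0.0.0:*'

# listening_ports [MIN]: read netstat-style lines on stdin and print the TCP
# ports in LISTEN state that are >= MIN (default 80), one per line, sorted and
# deduplicated (a port bound on both IPv4 and IPv6 is listed once).
listening_ports() {
    min="${1:-80}"
    awk -v min="$min" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            n = split($4, a, ":")   # the port is whatever follows the last ":"
            p = a[n] + 0            # so 0.0.0.0:80 and :::443 both parse
            if (p >= min) print p
        }' | sort -n -u
}

# http_probe HOST PORT: open a TCP connection (bash /dev/tcp standing in for
# the original telnet), send a minimal HTTP/1.0 request and print the first
# lines of the reply. A 400 or 404 still usually carries a Server: header,
# which is the kind of "dirty" information the post is after. Needs bash and
# the coreutils timeout command (assumed to be installed).
http_probe() {
    host="$1"; port="$2"
    timeout 5 bash -c '
        exec 3<>"/dev/tcp/$0/$1" || exit 1
        printf "GET / HTTP/1.0\r\n\r\n" >&3
        head -n 15 <&3
    ' "$host" "$port" 2>/dev/null
}

# main: the live version, walking the listeners this host actually has.
main() {
    netstat -an 2>/dev/null | listening_ports 80 | while read -r port; do
        printf '==== port %s ====\n' "$port"
        http_probe 127.0.0.1 "$port"
    done
}

# Only touch the network when asked with --run; otherwise just show which
# ports the constructed sample would have been probed on.
if [ "${1:-}" = "--run" ]; then
    main
else
    printf '%s\n' "$SAMPLE_NETSTAT" | listening_ports 80
fi
```

Run it as ./porttest-example.sh --run to probe your own box; without the flag it only prints 80, 443, 631 and 8080 from the sample listing (22 is below the starting port, the ESTABLISHED and udp lines are not listeners). Systems that have replaced netstat with ss -tln lay the columns out differently, so the field numbers in the awk would need adjusting there. Whatever a port answers with, a proper page or a curt protocol error, is printed as-is, because the error is often the more informative of the two.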

As a "for instance," here's one such error message we received on a trial run: